1. Field
This disclosure is generally related to user authentication. More specifically, this disclosure is related to using an authenticated channel to authenticate a user.
2. Related Art
Authenticating a user involves verifying the user's identity. Broadly, authentication can involve something a user has (e.g., an ID card), something the user knows (e.g., a password), or something physically associated with the user (e.g., a fingerprint).
A computer system typically authenticates a user by presenting username and password input fields to the user. Once the user enters the correct username and password in these fields, the system allows the user to access their account or run specific applications. The computer system typically verifies that the password is correct by performing a lookup based on the username in a password store accessible to the computer system.
Although passwords provide some security to prevent unauthorized access, passwords are relatively easy to steal. For example, a Trojan Horse application can steal passwords from a user's machine and send them back to an attacker. A Trojan Horse application can scan the registry or other files on the disk looking for passwords. Passwords can also be lost, guessed (e.g., birthdays are generally a good guess), or tapped while in transit (e.g., through eavesdropping on a wireless network). Moreover, since a user often uses the same password in multiple places, a discovered password can open the door to those multiple places. Finally, passwords are rarely of a length or complexity that makes them secure. For example, many people choose English words or 6-character letter combinations as passwords. Such passwords can often be cracked by a password-cracking program. Once the username is provided, a password cracker can fill in the password field until it secures access.
Other authentication methods include PKI (Public Key Infrastructure) certificates, login tokens, smart cards, and other personal information. A PKI binds a user's public key with a unique user identity through a CA (Certificate Authority), typically a third party. A PKI certificate combines a user's digital signature and a user's public key with another identifier (e.g., a user's real name). The user can use the certificate to show that the user owns the claimed public key. Typically, a digital signature is required for the PKI certificate. This signature can either be made by an authority figure who assigns the certificates, the person whose identity is being confirmed, or even endorsers of the public key. The digital signature is a way for other parties and people to verify that a person is, in fact, the owner of the public key they claim is their own. One shortcoming of a PKI is that the CA must be trusted by all parties involved.
A login token is a client-side certificate that is stored in the user's browser. When the user attempts to access a restricted page, a secure server can ask the user's browser to present such a client-side certificate and to prove that the user is the actual owner. Typically, a login server issues a fixed-duration login token at login time. The login server also issues a fixed-duration granting token every time the user wants to access a new secured site. When the user tries to access a secured application, the application will check for the presence of a granting token. If found, the system will issue a fixed-duration session token. The session token exists for the duration of the user's session with that application. In short, login tokens enable logins to the portal without a password. A hash key to the login token is typically stored in the system. As a result, a malicious user can retrieve this key and attempt to reverse engineer the key to generate unauthorized login tokens.
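The login, granting and session token chain described above, sketched as an added example (not code from this disclosure or from any system it cites). It assumes HMAC-signed tokens under a single server-side key; the function names, the key, the "portal" audience and the lifetimes are all hypothetical.

```python
import base64, hashlib, hmac, json

SERVER_KEY = b"constructed-demo-key"  # assumption: one server-side signing key
TTL = {"login": 8 * 3600, "granting": 60, "session": 1800}  # assumed lifetimes (s)

def _sign(body: bytes) -> str:
    return hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()

def issue(kind, user, audience, now):
    """Mint a fixed-duration token of the given kind for one audience."""
    claims = {"kind": kind, "user": user, "aud": audience, "exp": now + TTL[kind]}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    return body.decode() + "." + _sign(body)

def verify(token, kind, audience, now):
    """Return claims if authentic, unexpired, right kind and audience; else None."""
    body, _, sig = token.partition(".")
    if not hmac.compare_digest(sig, _sign(body.encode())):
        return None  # signature mismatch: forged or tampered
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["kind"] != kind or claims["aud"] != audience or now >= claims["exp"]:
        return None
    return claims

def grant(login_token, site, now):
    """Login server: exchange a valid login token for a per-site granting token."""
    claims = verify(login_token, "login", "portal", now)
    return issue("granting", claims["user"], site, now) if claims else None

def open_session(granting_token, site, now):
    """Application: exchange a valid granting token for a session token."""
    claims = verify(granting_token, "granting", site, now)
    return issue("session", claims["user"], site, now) if claims else None

def demo(now=1_700_000_000):
    # Constructed sample flow: user "alice" logs in, then opens the "payroll" site.
    login = issue("login", "alice", "portal", now)
    g = grant(login, "payroll", now + 10)
    bad = login[:-1] + ("0" if login[-1] != "0" else "1")  # flip last signature char
    return {
        "session_ok": open_session(g, "payroll", now + 20) is not None,
        "wrong_site": open_session(g, "wiki", now + 20) is None,
        "granting_expired": open_session(g, "payroll", now + 71) is None,
        "login_as_session": verify(login, "session", "portal", now) is None,
        "tampered": grant(bad, "payroll", now) is None,
    }

if __name__ == "__main__":
    print(demo())
```

Every check in this sketch depends on `SERVER_KEY` staying secret, which is the stored-key exposure the paragraph above points out.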
Smart cards are devices that plug into a computer's USB port to authenticate a user. Unfortunately, smart cards, like car keys, can be stolen and used to masquerade as a user. Specifically, since smart cards may not be used by the user frequently, the user may not realize that his or her smart card has been stolen for many hours or days. Moreover, the information contained in a smart card can be tapped and copied if smart cards are used for network access. Other personal information used for identification (e.g., birthdays, Social Security numbers, and addresses) can also be obtained relatively easily. In short, conventional techniques for authenticating a user suffer from various drawbacks.